Re: [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execvefrom granting privs

From: Kees Cook
Date: Thu Apr 12 2012 - 18:17:05 EST


On Thu, Apr 12, 2012 at 2:47 PM, Will Drewry <wad@xxxxxxxxxxxx> wrote:
> From: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>
> With this change, calling
>  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
> disables privilege granting operations at execve-time.  For example, a
> process will not be able to execute a setuid binary to change their uid
> or gid if this bit is set.  The same is true for file capabilities.
>
> Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
> LSMs respect the requested behavior.
>
> To determine if the NO_NEW_PRIVS bit is set, a task may call
>  prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
> It returns 1 if set and 0 if it is not set. If any of the arguments are
> non-zero, it will return -1 and set errno to -EINVAL.
> (PR_SET_NO_NEW_PRIVS behaves similarly.)
>
> This functionality is desired for the proposed seccomp filter patch
> series.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
> system call behavior for itself and its child tasks without being
> able to impact the behavior of a more privileged task.
>
> Another potential use is making certain privileged operations
> unprivileged.  For example, chroot may be considered "safe" if it cannot
> affect privileged tasks.
>
> Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
> set and AppArmor is in use.  It is fixed in a subsequent patch.
>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>
> Acked-by: Eric Paris <eparis@xxxxxxxxxx>

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

--
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/